Your data safety is our priority

Below are two website-ready draft articles for Escom Sourcing. I wrote them so you can use them as full pages, or split them into sections across multiple pages. They are based on common practices used by procurement, sourcing, inspection, supplier-audit, and cross-border service companies, and aligned with the major privacy and compliance frameworks that matter for a China–Hong Kong–Singapore–EU–US-facing business. The legal references I relied on include the GDPR and EU SCCs, Singapore’s PDPA and transfer rules, Hong Kong’s PDPO guidance, China’s PIPL and cross-border transfer framework, and common US privacy practice such as the CCPA/CPRA. Similar sourcing and assurance businesses also commonly frame their services around supplier due diligence, procurement inspection, ESG audits, and supply-chain mapping.


You should still have local counsel in China, Hong Kong, Singapore, and the EU review the final version before publication or contract use, especially for jurisdiction, complaint-handling, retention, and cross-border transfer wording.




1) Data Protection and Privacy Terms

Escom Sourcing Data Protection, Privacy and Cross-Border Data Transfer Policy


Escom Sourcing is a brand operated by Yikai Weilai Kei (Chengdu) Co., Limited, Escom Co Limited, and Escom Mav Pte. Ltd. We recognize that our clients entrust us with highly sensitive business information, including contact details, supplier information, quotations, technical specifications, samples, orders, quality records, logistics details, certifications, compliance files, and other commercial data. We treat that trust as a core operating responsibility.


We are committed to handling personal data and business information lawfully, fairly, transparently, and securely, and to applying a high standard of protection across the jurisdictions in which we operate or serve clients. Our approach is designed to align with the core principles found in the EU General Data Protection Regulation, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.  



1. Who this policy applies to

This policy applies to personal data and related business information that we collect or process in connection with our sourcing, procurement, supplier validation, product development, quality control, logistics coordination, warranty support, ESG review, and related commercial services. It applies to data concerning:


  • clients and prospective clients,
  • client representatives and employees,
  • suppliers, factories, subcontractors and service providers,
  • logistics partners, inspection partners and laboratories,
  • website visitors, marketing contacts, and business leads,
  • any other individuals whose personal data is reasonably required for legitimate business operations.

In practice, this means we may process both ordinary contact data and business-context data, such as names, job titles, work email addresses, telephone numbers, shipping contacts, billing contacts, passport or identity information where legally required for customs, certification, travel, audit or contract purposes, and records linked to orders, inspections, claims or disputes. Singapore’s PDPA expressly covers personal data used in commercial relationships, while the GDPR and PIPL both require a lawful and clearly defined basis for handling personal information.  



2. What data we collect

We only collect data that is reasonably necessary for a defined business purpose. Depending on the engagement, this may include:


  • company and contact details,
  • procurement requirements and product specifications,
  • factory, supplier and subcontractor information,
  • quotations, purchase orders, invoices and payment records,
  • quality reports, audit findings and corrective action records,
  • shipping, warehousing, customs and delivery details,
  • technical drawings, packaging files, product compliance files and certifications,
  • website enquiry submissions, newsletter sign-ups, cookies and site analytics,
  • communications through email, phone, messaging apps, forms and meetings.

Where a service requires elevated due diligence, we may also handle more sensitive operational information, including supply-chain maps, contractual records, compliance risk notes, or ESG documentation. Our rule is simple: if the information is not needed to deliver the service, protect legal rights, comply with law, or prevent fraud and abuse, we should not collect it. This reflects the data-minimisation principle under the GDPR and the minimum-necessity principle reflected in China’s PIPL.  



3. Why we process data


We process personal data and related business data for legitimate and clearly identified business purposes, including:


  • responding to enquiries and onboarding clients,
  • scoping sourcing and procurement projects,
  • identifying, evaluating and managing suppliers,
  • coordinating quotes, orders, samples, inspections and deliveries,
  • arranging factory visits, audits, tests and certifications,
  • managing contracts, billing, finance, tax and records,
  • maintaining service quality, internal controls and dispute resolution,
  • complying with sanctions, customs, export-control, anti-fraud, anti-bribery, and other legal obligations,
  • improving service performance, training, systems and client experience,
  • sending relevant business communications where permitted by law.

Under the GDPR, organizations must have a lawful basis for processing personal data. Under Singapore’s PDPA and China’s PIPL, organizations must also define the purpose of collection, use and disclosure, and limit processing to what is reasonable and necessary for that purpose.  



4. Confidentiality and commercial sensitivity

Because Escom Sourcing operates in procurement and supply-chain management, much of the information we handle is commercially sensitive even where it does not qualify as personal data. We therefore apply confidentiality controls not only to personal data, but also to non-public business information, including:


  • order prices and commercial terms,
  • supplier lists and sourcing strategies,
  • product concepts, drawings and prototypes,
  • quality records and defect analysis,
  • client sales channels and market plans,
  • logistics routes, warehousing and demand schedules.

Our personnel, affiliates, contractors and approved service providers are expected to access such information strictly on a need-to-know basis and only for authorized business purposes. Similar supplier-management and procurement organizations commonly structure their privacy and vendor notices around relationship management, controlled disclosure, and contract-based processor obligations.  



5. Legal bases and consent model


Where required by applicable law, we rely on one or more of the following grounds:


  • performance of a contract or steps requested before entering into a contract,
  • compliance with legal or regulatory obligations,
  • legitimate interests in operating, securing and improving our business and services,
  • consent, where consent is required or is the most appropriate basis,
  • protection of legal rights, claims, safety or fraud prevention.

We do not rely on consent where another lawful basis is more appropriate for a business-to-business operational relationship. Where consent is used, it may be withdrawn subject to applicable law and operational limitations. This is consistent with the structure of the GDPR, PDPA and PIPL, each of which recognizes that consent is important but not the only legal basis for lawful processing.  


6. Cross-border data transfers


As a cross-border sourcing business, Escom Sourcing may transfer or make accessible certain personal data and related business records between Mainland China, Hong Kong SAR, Singapore, the European Economic Area, the United Kingdom, the United States, and other jurisdictions where our group companies, clients, suppliers, logistics partners, auditors, testing laboratories, cloud providers, or professional advisers operate.


When such transfers occur, we apply safeguards appropriate to the destination, the type of data, the purpose of transfer, and the relevant legal framework. For EEA-origin data, we may rely on adequacy decisions where available, or use the European Commission’s Standard Contractual Clauses, supported by a transfer risk assessment and supplementary measures where required. Under Singapore’s PDPA, overseas transfers may be made only where the receiving destination provides a comparable standard of protection or another lawful basis applies. In Hong Kong, the PCPD recommends contract-based controls for cross-border transfers and for the use of data processors. In Mainland China, cross-border personal information transfers are governed by PIPL and the outbound transfer framework, which, depending on the volume and sensitivity of the data and the nature of the transferor, may require one of the recognized compliance pathways: a CAC security assessment, personal information protection certification, or the CAC standard contract for outbound transfers.


For practical purposes, this means we aim to transfer the minimum data needed, document the transfer rationale, contractually bind processors and recipients where necessary, assess risks in higher-risk transfer scenarios, and localize or segregate data where the legal environment or client requirements make that appropriate.



7. Our processor and vendor controls


Where we engage third parties to process data on our behalf, we require them to act only on documented instructions, maintain appropriate technical and organizational security measures, limit access, support rights requests where applicable, notify us of incidents as required, and impose equivalent controls on any authorized sub-processors.


This reflects the processor-management model common under the GDPR, Hong Kong PDPO guidance, and supplier privacy frameworks used by larger enterprises. We also expect confidentiality, secure deletion, and return-or-destroy obligations where applicable at the end of a service relationship.  



8. Security measures


We maintain administrative, technical and organizational measures appropriate to the nature of the data and the risks involved. These measures may include:


  • access controls and role-based permissions,
  • password and authentication controls,
  • secure file storage and transfer procedures,
  • contractual confidentiality obligations,
  • vendor and processor due diligence,
  • device and system security controls,
  • limited-retention policies,
  • incident response and escalation procedures,
  • staff awareness and privacy training.

No organization can promise absolute security, but we are committed to taking practical, proportionate and continuously improving measures to protect against unauthorized access, disclosure, alteration, misuse, loss or destruction. Hong Kong’s PDPO expressly requires practical steps to protect personal data, while GDPR integrity/confidentiality and accountability principles require demonstrable security governance.  



9. Data retention


We keep personal data and related business records only for as long as reasonably necessary for the purpose for which they were collected, or for longer where required by contract, law, finance, tax, customs, dispute, insurance, audit, anti-fraud, or regulatory obligations.


When data is no longer needed, we aim to delete, anonymize, archive, or securely restrict it according to our retention schedule and the applicable laws of the relevant entity and jurisdiction. Storage limitation is a core GDPR principle, and similar purpose-linked retention logic is also reflected in other major privacy regimes.  



10. Individual rights


Where applicable under law, individuals may have rights to:


  • request access to personal data,
  • request correction of inaccurate data,
  • request deletion where legal grounds exist,
  • withdraw consent where consent is relied upon,
  • object to certain processing,
  • request restriction or portability where applicable,
  • complain to a competent authority.


These rights vary by jurisdiction and by the role we play in relation to the data. For example, the GDPR provides a broad set of rights for EU data subjects, while California law gives consumers rights to know, delete, correct, and exercise control over certain uses of personal information. We will handle verified requests in accordance with the laws that apply to the relevant entity and processing activity.  



11. Children’s data and sensitive information


Our services are designed for commercial and business users. We do not knowingly market our services to children or intentionally collect children’s personal data except where strictly necessary and legally permitted in a specific operational context.


Where a project may involve higher-risk or more sensitive categories of information, we apply a stricter internal review, narrower access, stronger contractual controls, and, where required, additional notices, lawful basis assessment, or transfer measures. China’s PIPL and the GDPR both impose heightened expectations for more sensitive or higher-risk processing scenarios.  



12. Marketing communications


We may send business updates, service information, event invitations, and industry insights where permitted by applicable law and in line with our legitimate business interests or the relevant consent requirements. Recipients can opt out of non-essential marketing communications at any time using the unsubscribe method provided or by contacting us directly.


We do not sell personal data. We do not use client order information, supplier pricing, or sourcing records for unrelated commercial exploitation.



13. International group operations


Because Escom Sourcing is operated through entities in multiple jurisdictions, personal data may be handled by the group entity best placed to deliver the relevant service, manage the client relationship, process billing, perform supplier due diligence, coordinate logistics, or provide local account support.


Our intention is to operate a group-wide standard that is high enough for cross-border procurement work while still respecting local legal requirements. Where local law imposes stricter standards, those stricter standards prevail for the affected processing activity.



14. Incident response and breach handling


If we become aware of a personal data incident or a material confidentiality breach affecting client or supplier information, we will investigate promptly, contain the issue, assess the likely impact, and take required remedial steps. Where notification is required by law or contract, we will notify affected clients, individuals, regulators, or counterparties in accordance with those obligations and within the applicable deadlines; for example, the GDPR generally requires a controller to notify the competent supervisory authority within 72 hours of becoming aware of a notifiable breach, and where we act as a processor we will notify the relevant client without undue delay so that it can meet its own obligations.



15. Policy updates


We may update this policy from time to time to reflect changes in law, guidance, technology, service design, or our operating model. Updated versions will be posted with a revised effective date. Because privacy law is evolving, particularly around cross-border transfers and processor management, periodic review is part of our accountability framework.



16. Practical short version for website footer or contact page



At Escom Sourcing, privacy is a business-control priority. 


We protect client and supplier data through purpose limitation, minimum-necessary access, processor controls, secure handling, and jurisdiction-aware cross-border transfer safeguards. We are committed to complying with applicable data protection laws in Mainland China, Hong Kong SAR, Singapore, the EU/EEA, and other relevant markets, including GDPR-aligned practices where required.